[KirillPanov]

Because they can.

They are one of the CVE gods, so they can veto issuance of CVEs against their products. That kind of power means you can move as slowly as you please.

[semiquaver]

BS. Being a CVE numbering authority (of which there are several hundred) does not grant a veto against CVE issuance. They are allowed to issue CVEs on their products but by no means are they the only authority that may issue them for Apple vulnerabilities.

[viraptor]

Also, you don't need to issue a CVE to publish a vulnerability. You just make it public regardless and say CVE was denied for it.